New critical Apache Struts flaw exploited to find vulnerable servers


A recently patched critical Apache Struts 2 vulnerability tracked as CVE-2024-53677 is actively exploited using public proof-of-concept exploits to find vulnerable devices.

Apache Struts is an open-source framework for building Java-based web applications used by various organizations, including government agencies, e-commerce platforms, financial institutions, and airlines.

Apache publicly disclosed the Struts CVE-2024-53677 flaw (CVSS 4.0 score: 9.5, “critical”) six days ago, stating it is a bug in the software’s file upload logic, allowing path traversals and the uploading of malicious files that could lead to remote code execution.

It impacts Struts 2.0.0 through 2.3.37 (end-of-life), 2.5.0 through 2.5.33, and 6.0.0 through 6.3.0.2.

“An attacker can manipulate file upload parameters to enable path traversal, and under some circumstances, this can lead to uploading a malicious file which can be used to perform remote code execution,” reads the Apache security bulletin.

In short, CVE-2024-53677 allows attackers to upload dangerous files like web shells into restricted directories and use them to remotely execute commands, download further payloads, and steal data.

The vulnerability is similar to CVE-2023-50164, and there is speculation that the same issue has re-emerged because of an incomplete fix, a problem that has plagued the project before.

ISC SANS researcher Johannes Ullrich reports seeing exploitation attempts that appear to use publicly available exploits or are at least heavily inspired by them.

“We are seeing active exploit attempts for this vulnerability that match the PoC exploit code. At this point, the exploit attempts are attempting to enumerate vulnerable systems,” reports Ullrich.

Attackers are enumerating vulnerable systems by using the exploit to upload an “exploit.jsp” file that contains a single line of code to print the “Apache Struts” string.

The exploiter then attempts to access the script to verify that the server was successfully exploited. Ullrich says the exploitation has only been detected from a single IP address, 169.150.226.162.
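The upload-then-verify sequence described above leaves a recognizable trace in web server access logs. The following detection script is an added example written for this article, not code from ISC SANS or the Apache project; it assumes combined-format access logs, and the sample log lines, endpoint paths and the 5-minute correlation window are constructed for illustration (only the probe file name and the source IP come from the article).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-log request line; only the fields the heuristic needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
KNOWN_SCANNER_IPS = {"169.150.226.162"}  # source IP reported by ISC SANS in the article
PROBE_NAMES = {"exploit.jsp"}            # file name used by the observed enumeration probe

# Constructed sample lines (not real traffic) showing the upload-then-verify sequence.
SAMPLE_LOG = [
    '169.150.226.162 - - [17/Dec/2024:10:01:02 +0000] "POST /upload.action HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '169.150.226.162 - - [17/Dec/2024:10:01:03 +0000] "GET /exploit.jsp HTTP/1.1" 200 13 "-" "python-requests/2.31"',
    '203.0.113.5 - - [17/Dec/2024:10:05:00 +0000] "GET /index.action HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [17/Dec/2024:10:06:00 +0000] "POST /files/upload.action HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.5 - - [17/Dec/2024:10:06:31 +0000] "GET /files/x.jsp HTTP/1.1" 200 20 "-" "curl/8.0"',
    '198.51.100.7 - - [17/Dec/2024:11:00:00 +0000] "GET /help.jsp HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

def parse(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec

def find_suspicious(lines, window=timedelta(minutes=5)):
    """Return (ip, reason, path) tuples for requests matching the enumeration pattern."""
    alerts = []
    recent_posts = defaultdict(list)  # ip -> timestamps of POSTs to Struts actions
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        if ip in KNOWN_SCANNER_IPS:
            alerts.append((ip, "known-scanner-ip", path))
        if rec["method"] == "POST" and path.endswith(".action"):
            recent_posts[ip].append(rec["ts"])
        elif rec["method"] == "GET" and path.lower().endswith(".jsp"):
            if path.rsplit("/", 1)[-1].lower() in PROBE_NAMES:
                alerts.append((ip, "probe-jsp-requested", path))
            # Heuristic: a JSP served with 200 shortly after the same client POSTed to an
            # action is how a freshly uploaded file is verified; compare hits against the
            # inventory of legitimate JSPs in the deployment to weed out false positives.
            if rec["status"] == 200 and any(rec["ts"] - t <= window for t in recent_posts[ip]):
                alerts.append((ip, "post-action-then-jsp-200", path))
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print(alert)
```

The correlation rule generalizes beyond the `exploit.jsp` probe: any JSP that first answers 200 within minutes of a POST to an action from the same client is worth checking against the list of JSPs actually shipped with the application.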

To mitigate the risk, Apache says users should upgrade to Struts 6.4.0 or later and migrate to the new file upload mechanism.

Merely applying the patch isn’t enough, as the code that handles file uploads in Struts applications needs to be rewritten to implement the new Action File Upload mechanism.

“This change isn’t backward compatible as you must rewrite your actions to start using the new Action File Upload mechanism and related interceptor,” warns Apache.

“Continuing to use the old File Upload mechanism keeps you vulnerable to this attack.”

With active exploitation underway, multiple national cybersecurity agencies, including those in Canada, Australia, and Belgium, have issued public alerts urging impacted software developers to take immediate action.

Exactly a year ago, hackers leveraged publicly available exploits to attack vulnerable Struts servers and achieve remote code execution.

Bill Toulas
